== log2timeline ==

log2timeline is designed as a framework for artifact timeline creation and analysis. Its main purpose is to provide a single tool that parses the various log files and artifacts found on suspect systems (and on supporting systems, such as network equipment) and produces a body file from which forensic investigators can build a timeline with tools such as mactime from TSK.

The tool is written in Perl for Linux but has been tested on Mac OS X (10.5.7 and 10.5.8). Parts of it should also work natively on Windows (with ActiveState Perl installed).

=== Description ===

log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool takes a modular approach to both the input file and the output file. The current version supports exporting the timeline in the body format read by mactime from TSK (The Sleuth Kit). log2timeline is built as a series of scripts; this one is the front-end, and it calls other scripts (called format files) to do the actual parsing of the log files. The tool is built to be easily extended by anyone who wants to add a new format or a new output file.

As noted above, the currently supported output is the body format used by mactime. For further information about the output format, see [http://wiki.sleuthkit.org/index.php?title=Body_file Mactime Body Format]. Other output formats can be created easily by adding an output file. An output file can either write a body format that has to be imported into another tool to become human readable, or print the timeline directly in a human readable format.

The tool is built from multiple so-called format files, which are stored in the format folder. Each format file handles one format that can be parsed, whether that is a single log file or a directory containing files that need to be parsed.

The purpose of the tool is to provide a single tool to parse the various artifacts that are produced either by the suspect operating system or by other systems that may hold logs pertaining to the investigation.

=== Currently Supported Input Modules ===

The currently supported input modules (as of version 0.51 nightly build (20102608)) are:

== SQLite3 ==

SQLite databases are used by many programs, including several forensics tools, e.g. [[Autopsy]] 3.

SQLite 3 is the current major version. Older SQLite (version 2) libraries and tools cannot open SQLite 3 database files, so use sqlite3 tools to examine them.

SQLite version 3 uses page-based storage, where pages hold various types of data. The page types are:

* lock-byte pages
* freelist pages
** freelist trunk pages
** freelist leaf pages
* B-tree pages
** table B-tree interior pages
** table B-tree leaf pages
** index B-tree interior pages
** index B-tree leaf pages
* payload overflow pages
* pointer map pages

=== Write-Ahead Log (WAL) ===

The default method by which SQLite implements atomic commit and rollback is a rollback journal. In version 3.7.0 a "Write-Ahead Log" (WAL) option was added. In WAL mode, committed transactions are appended to a separate "-wal" file next to the database and are only copied into the main database file at a checkpoint, so a WAL-mode database must be collected together with its "-wal" file (and the accompanying "-shm" shared-memory index), or recent activity will be missing from the main file. A database that has been switched to WAL mode records this in its file header: bytes 18 and 19 (the write and read version numbers) are 2 instead of 1.

== Temporary sqlite files ==

Seen in e.g.

<pre>
/Users/%USERNAME%/AppData/Local/Temp/etilqs_%RANDOM%
</pre>

where "etilqs" is "sqlite" spelled backwards.

== Use Cases ==

=== Web Browser Data ===

[[Mozilla Firefox]] and [[Google Chrome]] both use SQLite version 3 databases for user data such as browsing history and downloaded files.

=== Mobile OS ===

[[Google Android]] and [[Apple iOS]] use SQLite3 databases for many system applications. Phone data including calls, messages, and credentials are all stored in SQLite3.
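The page-type list and the WAL section above describe the on-disk structure in words. The following is an added example (not code from this page, from SQLite or from any forensics tool) that builds a small database with Python's bundled sqlite3 module, using constructed sample data, and then reads the raw file back to label every page: it decodes the 100-byte file header (page size, page count, freelist head and count, the read/write version bytes that mark WAL mode, and the "largest root page" field that indicates pointer-map pages), walks the freelist trunk pages to find freelist trunk and leaf pages, and uses the b-tree flag byte (2, 5, 10, 13) to tell table and index interior and leaf pages apart. Function names such as classify_pages() and the sample table names are this example's own. Payload overflow and pointer-map pages are not told apart here since that needs a walk of the cells; they land in the "other" bucket.

```python
"""Classify the pages of an SQLite 3 database file from its raw bytes.

Added example, not code from the original page or from the SQLite project.
It builds a small database with Python's bundled sqlite3 module (constructed
sample data), then reads the file back and labels every page using the
on-disk format: the 100-byte file header, the b-tree page flag byte
(2, 5, 10, 13) and the freelist trunk layout. Function names such as
classify_pages() are this example's own.
"""
import os
import sqlite3
import struct
import tempfile

HEADER_MAGIC = b"SQLite format 3\x00"
BTREE_FLAGS = {0x02: "index_interior", 0x05: "table_interior",
               0x0A: "index_leaf", 0x0D: "table_leaf"}
LOCK_BYTE_OFFSET = 1 << 30   # the page spanning this offset is the lock-byte page


def make_sample_db(path, wal=False):
    """Build a database with a large table, an index and freed pages.
    Returns the journal mode SQLite reports (WAL may be refused on some VFSes)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = 4096")     # both pragmas must precede the first table
    conn.execute("PRAGMA auto_vacuum = NONE")   # keep freed pages on the freelist
    mode = conn.execute("PRAGMA journal_mode = WAL" if wal
                        else "PRAGMA journal_mode").fetchone()[0]
    conn.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("CREATE TABLE scratch (id INTEGER PRIMARY KEY, payload TEXT)")
    conn.executemany("INSERT INTO history (url) VALUES (?)",
                     [("http://example.test/%05d/%s" % (i, "x" * 90),) for i in range(2000)])
    conn.execute("CREATE INDEX history_url ON history (url)")
    conn.executemany("INSERT INTO scratch (payload) VALUES (?)", [("y" * 200,)] * 500)
    conn.commit()
    conn.execute("DROP TABLE scratch")   # its pages go to the freelist, the file does not shrink
    conn.commit()
    conn.close()
    return mode


def parse_header(data):
    """Decode the fields of the 100-byte file header that the page walk needs."""
    if data[:16] != HEADER_MAGIC:
        raise ValueError("not an SQLite 3 database file")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                          # the value 1 encodes a 65536-byte page
        page_size = 65536
    write_ver, read_ver = data[18], data[19]    # 1 = rollback journal, 2 = WAL
    change_counter = struct.unpack(">I", data[24:28])[0]
    page_count, first_trunk, freelist_count = struct.unpack(">III", data[28:40])
    largest_root = struct.unpack(">I", data[52:56])[0]
    valid_for = struct.unpack(">I", data[92:96])[0]
    # The in-header page count is only trustworthy when "version-valid-for" equals
    # the change counter (older writers never set it); otherwise derive it from the size.
    if page_count == 0 or valid_for != change_counter:
        page_count = len(data) // page_size
    return {"page_size": page_size, "page_count": page_count,
            "journal_mode": "wal" if write_ver == 2 and read_ver == 2 else "rollback",
            "first_freelist_trunk": first_trunk, "freelist_count": freelist_count,
            "auto_vacuum": largest_root != 0}    # nonzero => pointer-map pages exist


def walk_freelist(data, hdr):
    """Follow the freelist: a trunk page is [next trunk][leaf count][leaf page numbers]."""
    ps, trunks, leaves = hdr["page_size"], [], []
    page = hdr["first_freelist_trunk"]
    while page and page not in trunks and page <= hdr["page_count"]:   # loop guard for corrupt files
        trunks.append(page)
        off = (page - 1) * ps
        next_trunk, n = struct.unpack(">II", data[off:off + 8])
        n = min(n, ps // 4 - 2)                 # cap a corrupt count at what fits on the page
        leaves.extend(struct.unpack(">%dI" % n, data[off + 8:off + 8 + 4 * n]))
        page = next_trunk
    return trunks, leaves


def classify_pages(path):
    """Return (header fields, {page type: count}) for the database file at path."""
    with open(path, "rb") as f:
        data = f.read()
    hdr = parse_header(data)
    ps = hdr["page_size"]
    trunks, leaves = (set(x) for x in walk_freelist(data, hdr))
    counts = {}
    for page in range(1, hdr["page_count"] + 1):
        off = (page - 1) * ps
        if page in trunks:
            kind = "freelist_trunk"
        elif page in leaves:
            kind = "freelist_leaf"    # decided by the walk: stale bytes may still look like a b-tree page
        elif off <= LOCK_BYTE_OFFSET < off + ps:
            kind = "lock_byte"
        else:
            flag = data[off + (100 if page == 1 else 0)]   # page 1's b-tree header follows the file header
            kind = BTREE_FLAGS.get(flag, "other")           # other: overflow or pointer-map page
        counts[kind] = counts.get(kind, 0) + 1
    return hdr, counts


def demo(wal=False):
    """Build a sample database in a temporary directory and classify it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    mode = make_sample_db(path, wal)
    hdr, counts = classify_pages(path)
    return mode, hdr, counts


if __name__ == "__main__":
    mode, hdr, counts = demo()
    print(mode, hdr)
    print(counts)
```

classify_pages() can be pointed at a real file (for example a browser's history database) as well. Two checks worth keeping in mind when doing so: if the header reports WAL mode and a "-wal" file is present next to the database, the main file alone does not contain the latest commits; and freelist leaf pages must be identified by walking the freelist rather than by their first byte, because their old content is usually still there and looks like a valid b-tree page.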
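Returning to the log2timeline section earlier on this page, which describes the tool as a front-end that calls per-format input modules and writes a mactime body file: the following is an added example, not code from the log2timeline project (which is written in Perl), written in Python so that it runs stand-alone. It shows the same three-part shape in miniature: an input module that parses constructed syslog-style auth.log lines and skips what it cannot parse, an output module that writes one line per event in the TSK 3.x body format (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 where unknown), and a minimal mactime-style sort that turns the body file into a timeline. The sample log lines, the "[SOURCE] message" convention for the name field, the choice to record the event time in the mtime slot, and the function names are this example's own.

```python
"""Minimal log2timeline-style pipeline: input module -> events -> body file -> timeline.

Added example, not code from the log2timeline project (which is Perl). The body
line layout is the TSK 3.x mactime format:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with Unix epoch seconds and 0 for unknown values. The sample log text, the
syslog input module, the "[SOURCE] message" name convention and the function
names are this example's own.
"""
import calendar
import re
import time

# Constructed sample input: syslog-style lines (no year, no time zone) plus one
# line in a format this input module does not handle.
SAMPLE_AUTH_LOG = """\
Mar  3 09:15:02 host sshd[2201]: Accepted password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:15:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/cat /etc/shadow
this line is not syslog and must be skipped
Mar  3 09:14:58 host sshd[2199]: Failed password for root from 10.0.0.7 port 51010 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_syslog(text, year, tz_offset=0):
    """Input ('format') module: yield (epoch, source, description) per parsable line.
    Syslog records neither year nor zone, so the caller supplies the year and the
    offset (seconds east of UTC) the logging host was using."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue        # unparsable lines are skipped, never guessed at
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        epoch = calendar.timegm((year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, 0, 0, 0)) - tz_offset
        yield epoch, "SYSLOG", "%s %s: %s" % (m["host"], m["prog"].strip(), m["msg"])


def to_body_line(epoch, source, description):
    """Output module: one TSK body line; the event time goes into mtime, the rest stay 0."""
    name = "[%s] %s" % (source, description.replace("|", "_"))   # '|' would break the field split
    return "0|%s|0|0|0|0|0|0|%d|0|0" % (name, epoch)


def build_body(text, year, tz_offset=0):
    """Front-end: run the input module and feed every event to the output module."""
    return [to_body_line(*event) for event in parse_syslog(text, year, tz_offset)]


def mactime(body_lines):
    """Minimal mactime: one timeline row per distinct timestamp of each body line,
    flagged m/a/c/b like mactime does, sorted by time; times are printed in UTC."""
    events = []
    for line in body_lines:
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("malformed body line: %r" % line)
        times = {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])}
        for t in sorted(set(v for v in times.values() if v)):
            flags = "".join(k if times[k] == t else "." for k in "macb")
            events.append((t, flags, f[1]))
    events.sort()
    return ["%s %s %s" % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), flags, name)
            for t, flags, name in events]


if __name__ == "__main__":
    body = build_body(SAMPLE_AUTH_LOG, 2010)
    print("\n".join(body))
    print("\n".join(mactime(body)))
```

Because every input module reduces its source to the same (time, source, description) triple, adding a new artifact type means writing only a parser; the body output and the timeline sort are shared. The year and zone parameters are the check to insist on for syslog-style sources: a body file built with the wrong offset sorts the events correctly relative to each other but misaligns them against every other artifact in the timeline.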